fix: remove style tags from discussion email notification HTML

feanil · claude · feanil · commit cddc25cd791b · 2026-04-24T10:15:37.000-04:00
`clean_thread_html_body()` was missing `<style>` from its tag denylist, allowing arbitrary CSS to survive sanitization and be rendered via the `|safe` filter in email templates. This enabled CSS-based email tracking (IP disclosure via background-image/import), content spoofing, and phishing via pseudo-elements. Uses `decompose()` rather than `unwrap()` so the CSS text content is also removed, not just the tag wrapper. Ref: GHSA-4xv3-5j4x-q8g4 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/lms/djangoapps/discussion/rest_api/discussions_notifications.py b/lms/djangoapps/discussion/rest_api/discussions_notifications.py
@@ -465,6 +465,14 @@ def clean_thread_html_body(html_body):
     truncated_body = html.unescape(truncated_body)
     html_body = BeautifulSoup(truncated_body, 'html.parser')
 
+    # Remove tags including their content (decompose, not unwrap)
+    tags_to_decompose = [
+        "style",  # CSS injection
+    ]
+    for tag in tags_to_decompose:
+        for match in html_body.find_all(tag):
+            match.decompose()
+
     tags_to_remove = [
         "a", "link",  # Link Tags
         "img", "picture", "source",  # Image Tags
diff --git a/lms/djangoapps/discussion/rest_api/tests/test_discussions_notifications.py b/lms/djangoapps/discussion/rest_api/tests/test_discussions_notifications.py
@@ -217,3 +217,16 @@ def test_strip_empty_tags(self):
         html_body = '<div><p></p><p>content</p><p></p></div>'
         result = clean_thread_html_body(html_body)
         self.assertEqual(result, '<p style="margin: 0"><p style="margin: 0">content</p></p>')  # noqa: PT009
+
+    def test_style_tag_removed_with_content(self):
+        """
+        Test that style tags and their CSS content are fully removed (CSS injection prevention).
+        """
+        html_body = (
+            '<p>Hello</p>'
+            '<style>body { background-image: url("https://evil.com/track"); }</style>'
+        )
+        result = clean_thread_html_body(html_body)
+        self.assertNotIn('<style>', result)  # noqa: PT009
+        self.assertNotIn('background-image', result)  # noqa: PT009
+        self.assertNotIn('evil.com', result)  # noqa: PT009
